CMPT 371 Data Communications and Networking
Network Layer: NAT, IPv6
© Janice Regan, CMPT 128, 2007-2012

Private networks
- Recall that several blocks of addresses are reserved for private (local) use:
  10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
  172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
  192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
- Hosts using these addresses reach the Internet through network address translation (NAT)

IPv4 local addresses
- A local network may use local addresses taken from the blocks on the previous slide
- These addresses are non-routable and may be used only within the local network
- They are not considered valid addresses on the Internet; they are valid only within the local network
- To communicate with the Internet one or more routable addresses are needed
- Network address translation must occur on the router connecting the local network to the Internet

Types of NAT implementation
- Static NAT
- Dynamic NAT
- Overloaded NAT (NAPT, network address port translation)

Static NAT
[Figure: private network hosts 192.168.3.1 - 192.168.3.7 behind a NAT router holding the globally valid addresses 24.16.33.47 and 24.16.33.49; Internet hosts 24.16.47.23 and 24.16.77.12]

Static NAT
- Some machines on the internal network need Internet access (192.168.3.3, 192.168.3.6)
- Several globally valid Internet addresses are available to the router connected to the local network (24.16.33.47, 24.16.33.49)
- Each host that needs Internet access is permanently allocated one of the available globally valid Internet addresses:
  192.168.3.3 ↔ 24.16.33.47
  192.168.3.6 ↔ 24.16.33.49
- All other hosts have no connectivity to the Internet

Packet transmission through a static NAT (1)
- When 192.168.3.3 sends a packet to 24.16.47.23 it is received by the NAT router
- The sending host is unaware of the NAT.
- The NAT replaces the local source address 192.168.3.3 with the corresponding globally valid address 24.16.33.47, recalculates the IP header checksum and, if the packet is TCP or UDP, the transport checksum as well (it is computed over a pseudo-header that includes the IP addresses), then forwards the packet toward the destination.

Packet transmission through a static NAT (2)
- The destination host sees the NAT's replacement address, 24.16.33.47, as the source IP and sends its reply to that address
- The NAT receives the reply
- Removes the destination address (its own address) from the packet
- Replaces the destination address with the corresponding internal address, 192.168.3.3
- Recalculates the IP header checksum and, for UDP or TCP packets, the transport checksum
- Forwards the packet to the internal source

Dynamic NAT
- Establishes a 1-1 relationship between non-routable internal addresses and the globally valid IP addresses assigned to the NAT.
- The non-routable address bound to each globally valid address may change over time as communications are initiated and completed

Dynamic NAT operation
- Similar to static NAT, except that there is a pool of available globally valid IP addresses
- Each time an internal host begins communication with the Internet, the first packet destined for the Internet reaches the NAT-enabled router
- The NAT-enabled router takes the next available globally valid IP address from the pool and assigns it to the internal host
- When communication is complete the address is returned to the pool
- While the pool is empty, no further internal host can start communicating with the Internet

NAPT (network address port translation)
- NAT overloading or NAPT
- Again, the local network uses locally valid non-routable IP addresses (not globally valid)
- In this configuration the NAT allows more than one local host to use the same globally valid Internet address
- The NAT has one or more globally valid IP addresses
- Communications with different hosts are differentiated by using different port numbers (transport layer)
- This is not a use of port numbers that is consistent with the layered design of the protocol stack: port numbers are not part of the network layer address, and ports are designed for end-to-end communication, not to be changed at each intermediate station
- Using ports in this way also causes other problems (see "Problems with NAPT")

Overloaded NAT
[Figure: the same private network 192.168.3.1 - 192.168.3.7 behind a NAT router holding 24.16.33.47 and 24.16.33.49; Internet hosts 24.16.47.23 and 24.16.77.12]

Overloaded NAT example
Source computer   Source port   NAT IP        NAT port
192.168.3.1       1350          24.16.33.47   1200
192.168.3.2       1352          24.16.33.47   1201
192.168.3.3       1400          24.16.33.47   1202
192.168.3.4       1450          24.16.33.49   1200
192.168.3.5       555           24.16.33.49   1201
192.168.3.6       1666          24.16.33.47   1203

NAPT example (1)
- A host on the local network, say 192.168.3.5, sends a packet from port 555 to an external host, 24.16.47.23
- The NAT-enabled router receives the packet from the local host 192.168.3.5
- The NAT-enabled router stores the source IP and port number in its address translation table
- The NAT-enabled router replaces the source IP and port number in the packet with those it stores in the address translation table for this connection (for this example 24.16.33.49 and 1201)
- The NAT-enabled router recalculates the IP header checksum and the UDP or TCP checksum (for UDP and TCP packets) before forwarding the packet to the destination

NAPT example (2)
- When the destination receives the packet it appears to have come from the NAT (24.16.33.49, port 1201). Any responses are sent to 24.16.33.49 and are thus received by the NAT router
- The NAT router checks the destination port in the response packet
- By referring to the address translation table the NAT router finds the corresponding local non-routable address and port.
- The NAT router replaces the destination IP address and port with the local non-routable address and the corresponding port, recalculates the checksums as needed, and forwards the packet to the original source host

Problems with NAPT
- Although NAPT is the most commonly used form of NAT, it causes some serious difficulties
- The most common encryption and authentication mechanisms used at the IP layer do not function when NAPT is used: IPsec AH authenticates the IP addresses the NAT rewrites, and ESP encrypts the transport ports the NAT needs to rewrite. Patching this requires yet more serious violations of design principles (ESP is wrapped in an extra UDP header for NAT traversal), and only some of the problems can be patched (nothing lets AH survive address rewriting)
- Servers that require connections to a particular port can only be run on one machine (the one that is using that public port in the NAPT mapping)
- P2P applications require a server to run on each peer, so P2P applications break unless extraordinary measures are taken (connection reversal: each peer connects outbound to a machine outside the local net and the P2P connection goes through that machine, which breaks the protection the NAT otherwise gave against unsolicited inbound connections)

Change IP, other solutions?
- Address space exhaustion (CIDR was a temporary solution)
- Two-level addressing (network and host) results in many unused addresses: addresses are committed even if not used, or are held for potential growth of a network
- Growth of networks and the Internet
- Extended use of TCP/IP
- Lack of security and authentication; temporary solution: IPsec retrofitted to IPv4
- Requirements for new types of service; temporary solution: differentiated services replaces TOS
- Not able to guarantee real-time transmission of services like video or audio

Improvements in IPv6 (1)
- Expanded address space: 128-bit addresses
- Improved option mechanism: additional, separate optional headers between the IPv6 header and the transport-layer header
- Fixed-length (40 byte) primary header
- Most additional headers are not examined by intermediate routers, improving processing speed at intermediate routers and simplifying router processing.
- It is easier to add options by adding more intermediate (extension) headers
- Address autoconfiguration: allows dynamic assignment of addresses

IPv6 Improvements (2)
- Increased addressing flexibility: anycast, delivered to one of a set of nodes
- Improved scalability of multicast addresses
- Support for resource allocation: labeling packets as belonging to a particular traffic flow allows special handling (e.g. support for real-time streams for applications such as video); replaces type of service
- New version of ICMP, ICMPv6 (RFC 2463, since superseded by RFC 4443): the functionality of ICMPv4, of ARP (neighbor discovery, RFC 2461, since superseded by RFC 4861) and of IGMP (multicast listener discovery, RFC 2710 and RFC 3810), all combined in one protocol

IPv6 packet structure
[Figure: IPv6 header, followed by the optional extension headers in their recommended order: Hop-by-Hop Options, Destination Options, Routing, Fragment, Authentication, Encapsulating Security Payload, Destination Options; then the transport header and DATA]

IPv6 header
[Figure 33.2, Comer (2000)]

IPv6 header fields (1)
- Version (4 bits): 6
- Traffic Class (8 bits): indicates the class or priority of the packet. Left undefined and open to experiment by the original IPv6 specification; it now carries the differentiated services field, as the IPv4 TOS byte does
- Flow Label (20 bits): experimental: indicates that the packet belongs to a specific sequence of packets that can be referenced by flow label. Used by hosts requesting special handling of such a sequence of packets. Multiple flows can exist between the same pair of hosts; each packet in a flow must have identical Hop-by-Hop and routing headers and IPv6 addresses.

IPv6 header fields (2)
- Payload length (16 bits): includes all extension headers plus user data (everything after the 40-byte fixed header)
- Next Header (8 bits): indicates the type of the first extension header or, in the absence of extension headers, the protocol of the next layer up (same numbering as the IPv4 protocol field)
- Hop Limit (8 bits): maximum number of allowed hops (0-255), decremented by each router that forwards the packet. When it is exhausted the packet is discarded and an ICMPv6 Time Exceeded message is sent
- Source Address (128 bits)
- Destination Address (128 bits)

IPv6 addresses (1)
- 128 bits long, written in hexadecimal with colons: divided into eight 16-bit blocks, each written as up to 4 hexadecimal digits
- Leading zeros within a block can be omitted, but one zero remains if all 4 hexadecimal digits are zero:
  1080:0:0:0:8:8A0:200C:417A
- One run of consecutive all-zero blocks can be abbreviated to :: (not more than one run per address, otherwise the number of omitted blocks would be ambiguous):
  1080:0000:0000:0000:0008:08A0:200C:417A
  1080::0008:08A0:200C:417A
- Prefixes use the same CIDR-like notation, e.g. 21DA:D3:0:2F3B::/64 denotes the network prefix (the network address of length 64 is 21DA:D3:0:2F3B)

IPv6 addressing
- Three types of address
- Unicast: to a single interface
- Multicast: to a set of interfaces; delivered to all interfaces identified; the interfaces may be on different network segments; broadcast is treated as a special case of multicast (IPv6 has no separate broadcast address)
- Anycast: a set of interfaces (typically on different nodes); delivered to any one (the nearest) interface of the set; allocated from the aggregatable global unicast address space, so an anycast address looks like a unicast address

IPv6 fragmentation
- Fragmentation is only allowed at the source; no fragmentation at intermediate routers
- The node must perform path MTU discovery to find the smallest maximum transmission unit (MTU) of the intermediate networks, or use the minimum IPv6 MTU of 1280 octets
- The source fragments to match the MTU (using the Fragment extension header)
- The fragmentation algorithm is the same as for IPv4
- Reduces load at intermediate hosts/routers

Transition IPv4 to IPv6 (1)
- During the transition IPv6 hosts retain an IPv4 protocol stack to use for communication with IPv4 networks (dual-stack approach)
[Figure: nodes A, B, C, D, E and Y; A and D run both IPv6 and IPv4, and the path between them is IPv4 only]
- Host A and Host D are both IPv6 enabled but are communicating using IPv4.
- We want them to use the more efficient IPv6

Transition IPv4 to IPv6 (2)
- When IPv6 hosts communicate through an IPv4 network the IPv6 packets should be encapsulated in IPv4 packets and sent through a tunnel
[Figure: IPv6 hosts at either end of an IPv4 tunnel; the tunneled packet is an IPv4 header followed by the IPv6 header and IPv6 data, the whole IPv6 packet being carried as the IPv4 data]
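Going back to the NAT part of these slides: the static NAT and NAPT walk-throughs describe address and port rewriting and checksum recalculation in prose. The following is an added example, my own code rather than anything from the slides or the course, that builds real IPv4/UDP datagrams and pushes them through a small NAPT model. The addresses are the ones in the slides' figures and table (192.168.3.5 sending from port 555, public addresses 24.16.33.47 and 24.16.33.49, external hosts 24.16.47.23 and 24.16.77.12); the port pool of three ports per public address, the allocation order, the packet payloads and the probing host are constructed, as are the destination port 53 and the assumption that all traffic is UDP (TCP is translated the same way, with protocol number 6). It shows two behaviours the slides only mention: inbound packets with no table entry are dropped (which is why inbound servers and P2P break), and a NAPT runs out of translations once its (address, port) pairs are exhausted.

```python
import socket
import struct

# Added example (not code from the slides): a NAPT router with two public
# addresses and a deliberately tiny port budget, a private host sending UDP,
# and the reply being translated back.  Addresses follow the slides' figures;
# the port pool, packet contents and the probing host are constructed.


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_packet(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """IPv4 + UDP datagram with both checksums computed from scratch."""
    udp_len = 8 + len(payload)
    # The UDP checksum is computed over a pseudo-header holding both IP
    # addresses, so rewriting an address invalidates it, not only the IP checksum.
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, udp_len))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    udp_csum = checksum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 would mean "absent"
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, udp_csum)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64,
                         17, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + payload


def parse_udp_packet(pkt: bytes):
    """(src_ip, dst_ip, sport, dport, payload) of an IPv4/UDP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 8:]


def checksums_valid(pkt: bytes) -> bool:
    """A correct checksum sums (with the checksum field included) to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        return False
    udp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return checksum(pseudo + udp) == 0


class Napt:
    """Port-overloading NAT: many private (ip, port) pairs share few public IPs."""

    def __init__(self, public_ips, ports=range(1200, 1203)):
        # Free (public ip, public port) pairs, handed out first address first.
        # Three ports per address is a constructed budget to show exhaustion.
        self.free = [(ip, p) for ip in public_ips for p in ports]
        self.out_table = {}  # (private ip, private port) -> (public ip, public port)
        self.in_table = {}   # the reverse mapping, consulted for replies

    def outbound(self, pkt: bytes):
        src, dst, sport, dport, payload = parse_udp_packet(pkt)
        key = (src, sport)
        if key not in self.out_table:
            if not self.free:
                return None  # translation table exhausted: packet dropped
            self.out_table[key] = self.free.pop(0)
            self.in_table[self.out_table[key]] = key
        pub_ip, pub_port = self.out_table[key]
        # Rewrite source address and port; rebuilding recomputes both checksums.
        return build_udp_packet(pub_ip, dst, pub_port, dport, payload)

    def inbound(self, pkt: bytes):
        src, dst, sport, dport, payload = parse_udp_packet(pkt)
        mapping = self.in_table.get((dst, dport))
        if mapping is None:
            return None  # no entry: unsolicited inbound traffic is dropped
        priv_ip, priv_port = mapping
        return build_udp_packet(src, priv_ip, sport, priv_port, payload)


def demo():
    nat = Napt(["24.16.33.47", "24.16.33.49"])
    # 192.168.3.5 sends from port 555 to 24.16.47.23 (addresses from the slides).
    out = nat.outbound(build_udp_packet("192.168.3.5", "24.16.47.23", 555, 53, b"query"))
    pub_ip, _, pub_port, _, _ = parse_udp_packet(out)
    # The external host answers what it saw: the NAT's address and port.
    back = nat.inbound(build_udp_packet("24.16.47.23", pub_ip, 53, pub_port, b"answer"))
    # Another external host probing an unmapped port reaches nothing inside.
    probe = nat.inbound(build_udp_packet("24.16.77.12", pub_ip, 4444, 9999, b"scan"))
    return out, back, probe


if __name__ == "__main__":
    out, back, probe = demo()
    print(parse_udp_packet(out)[:4], checksums_valid(out))
    print(parse_udp_packet(back)[:4], checksums_valid(back))
    print("probe delivered:", probe is not None)
```

The model keeps a mapping for as long as the object lives; a real NAPT ages entries out after a timeout, which is what lets the same public port be reused and what makes long-idle UDP "connections" silently stop working. The exhaustion path is worth noting from a security standpoint: any internal host that opens flows to many distinct destinations, deliberately or because it is infected, can consume the whole pool and deny translation to everyone else behind the same NAT.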
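The IPv6 header, address and transition slides above can be exercised in code. What follows is an added example, my own and not taken from the slides: it packs and parses the fixed 40-byte IPv6 header with the field widths given in "IPv6 header fields", implements the textual address rules from "IPv6 addresses (1)" (leading zeros dropped, a single "::" for the longest all-zero run), takes one router's hop-limit step, and carries an IPv6 packet through an IPv4 tunnel as in the last slide. The IPv6 addresses are the slides' examples; the IPv4 tunnel endpoints (24.16.33.47 and 24.16.77.12, reused from the NAT figures), the payloads, the hop limit of 3 and the choice of UDP (next header 17) as payload protocol are constructed. The IPv4 protocol number 41 for IPv6-in-IPv4 and the RFC 5952 tie-breaking rules for "::" are standard facts, not assumptions.

```python
import struct

# Added example, not code from the slides: pack/parse the fixed 40-byte IPv6
# header, apply the textual address rules (drop leading zeros, one "::"), take a
# router's hop-limit step, and carry an IPv6 packet through an IPv4 tunnel
# (IPv4 protocol 41).  Addresses are the slides'; payloads/endpoints are made up.

IPV6_HEADER = struct.Struct("!IHBB16s16s")  # 4+2+1+1+16+16 = 40 bytes, fixed
IPV4_PROTO_IPV6 = 41                        # IPv4 protocol number for IPv6-in-IPv4


def expand_ipv6(addr: str) -> list:
    """The eight 16-bit groups of an address; at most one '::' is permitted."""
    if addr.count("::") > 1:
        raise ValueError("more than one '::' in %r" % addr)
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg  # '::' = the missing zeros
    else:
        groups = addr.split(":")
    values = [int(g, 16) for g in groups]
    if len(values) != 8 or not all(0 <= v <= 0xFFFF for v in values):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return values


def compress_ipv6(groups) -> str:
    """Shortest text: no leading zeros; longest run of 2+ zero groups -> '::' (RFC 5952)."""
    groups = list(groups)
    best_start, best_len, run_start = -1, 1, None
    for i, g in enumerate(groups + [None]):  # None closes a run at the end
        if g == 0:
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:  # strict '>' keeps the leftmost run on ties
                best_start, best_len = run_start, i - run_start
            run_start = None
    text = ["%x" % g for g in groups]
    if best_start < 0:
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])


def pack_ipv6(src, dst, next_header, payload, hop_limit=64, traffic_class=0, flow_label=0):
    """Fixed header (version 6, class, label, length, next header, hop limit) + payload."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return IPV6_HEADER.pack(first_word, len(payload), next_header, hop_limit,
                            struct.pack("!8H", *expand_ipv6(src)),
                            struct.pack("!8H", *expand_ipv6(dst))) + payload


def parse_ipv6(pkt: bytes) -> dict:
    """Unpack the fixed header; reject a wrong version or a payload length past the end."""
    first_word, plen, nh, hl, src, dst = IPV6_HEADER.unpack_from(pkt)
    if first_word >> 28 != 6 or len(pkt) < IPV6_HEADER.size + plen:
        raise ValueError("not a well-formed IPv6 packet")
    return {"traffic_class": (first_word >> 20) & 0xFF, "flow_label": first_word & 0xFFFFF,
            "payload_length": plen, "next_header": nh, "hop_limit": hl,
            "src": compress_ipv6(struct.unpack("!8H", src)),
            "dst": compress_ipv6(struct.unpack("!8H", dst)),
            "payload": pkt[IPV6_HEADER.size:IPV6_HEADER.size + plen]}


def forward_ipv6(pkt: bytes):
    """One router hop: drop (ICMPv6 Time Exceeded would follow) if the hop limit is
    0 on arrival or reaches 0; else decrement byte 7.  No header checksum to redo."""
    if pkt[7] <= 1:
        return None
    return pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]


def ipv4_header_checksum(hdr20: bytes) -> int:
    """One's-complement checksum of a 20-byte IPv4 header; evaluates to 0 when valid."""
    s = sum(struct.unpack("!10H", hdr20))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def encapsulate_6in4(v6pkt: bytes, v4src: str, v4dst: str, ttl=64) -> bytes:
    """Tunnel entry: the whole IPv6 packet becomes the data of an IPv4 packet."""
    def ip(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6pkt), 0, 0x4000, ttl,
                      IPV4_PROTO_IPV6, 0, ip(v4src), ip(v4dst))
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:] + v6pkt


def decapsulate_6in4(v4pkt: bytes):
    """Tunnel exit: accept only an option-less IPv4 packet with protocol 41 and a
    valid checksum, then hand the inner IPv6 packet to the IPv6 stack."""
    if v4pkt[0] != 0x45 or v4pkt[9] != IPV4_PROTO_IPV6 or ipv4_header_checksum(v4pkt[:20]):
        return None
    return v4pkt[20:]


def demo():
    """Host A sends to host D across the IPv4-only network between them."""
    v6 = pack_ipv6("1080::8:800:200C:417A", "21DA:D3:0:2F3B::1", 17, b"hello", hop_limit=3)
    tunneled = encapsulate_6in4(v6, "24.16.33.47", "24.16.77.12")
    return v6, tunneled, decapsulate_6in4(tunneled)
```

Two points the code makes concrete. First, because the IPv6 fixed header has no checksum, a router's forwarding step touches only the hop-limit byte; the integrity of the addresses rests on the transport checksum (mandatory for UDP over IPv6) and on whatever IPsec or link-layer protection is in use. Second, a 6in4 tunnel endpoint receives packets it will inject straight into its IPv6 stack, so in practice it must also check that the outer IPv4 source is the configured tunnel peer and that the inner source address is one the tunnel is allowed to carry; the example checks only the protocol number and checksum, which is not enough on its own.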